Next Level Interop Testing in QUIC

As TrueNuff.tv demonstrated in their “Does it blend?” series, by using a blender you will find out what things are really made of. Inspired by this, wolfSSL sponsored a new QUIC related test suite for the ngtcp2 project. What does it do and how does it help you in using wolfSSL?

Ngtcp2 is the leading open source QUIC implementation. We added wolfSSL support to it, as covered in our blog. Next to wolfSSL, most other TLS/SSL libraries are also supported: the quictls fork of OpenSSL, BoringSSL, GnuTLS, picotls. Libressl is expected to join soon. (OpenSSL itself is missing and is not expected to play a role in QUIC for the foreseeable future. We covered that in the mentioned blog post.)

What you as a user of wolfSSL are most interested in is not only that you get state-of-the-art TLS, but that it communicates correctly and efficiently with all the other TLS libraries out there. Now and for all future releases coming. 

QUIC’s use of TLS is very similar to TCP, but there are some differences. By testing TLS libraries against each other in the context of QUIC, we can verify not only interop for QUIC itself, but stress combinations of features and configurations that are used in “normal” TLS connections as well.

The Blender

The ngtcp2 test suite has become part of ngtcp2 itself. It is added to its CI on github, so all future development and new releases – of wolfSSL and all other TLS implementations – are always verified.

You can run this yourself. On ngtcp2’s github are the instructions to checkout and build it yourself. The new test suite has its own README, explaining how to use it. The test suite is based on Python’s pytest and should run on all platforms that support it.

There are “examples” server and client executables in ngtcp2, one for each TLS library that you configured. Should you only configure `–with-wolfssl`, only the wolfSSL server and client are built. The test suite then verifies in various scenarios that they interoperate.

If you configure more TLS libraries in ngtcp2, say `–with-wolfssl –with-openssl`, then you get two servers and two clients. The tests then try all possible combinations: wolfssl-wolfssl, openssl-openssl, openssl-wolfssl and wolfssl-openssl. Meaning, you do not need all the TLS libraries to run the blender on your machine.

Should you develop your own QUIC application, the test suite is an excellent place to verify it. It runs executables against each other. It is fairly straightforward to modify it for your own purposes.

We are, for example, currently considering how to use it for testing curl, the swiss army knife for internet transfers, sponsored by wolfSSL. We added wolfSSL QUIC support in curl, using ngtcp2, and the test coverage there needs to be extended as well.

For All

We think by donating this test suite to the ngtcp2 project, it’ll serve everyone best. We could have made it part of wolfSSL’s CI suites, but that would be a barrier for other TLS projects to pick it up. Also, should interop problems arise, let’s say between GnuTLS and BoringSSL, we do not really want to be involved in resolving it.

This aspect of OSS where things can be added and stay accessible where they make most sense is a real strength. We are happy to contribute.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.